Dominic Cleal of Red Hat reports:
The kafo_configure puppet module creates /tmp/default_values.yaml world-readable and without checking for its existence. This creates a race condition that would allow a local attacker to control the contents of the file which stores default values for all parameters (such as auto-generated passwords).
References:
http://projects.theforeman.org/issues/4648
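
The file-creation pattern the report describes, next to a hardened form, as an added Ruby example (not code from kafo or from the report). All function names, the scratch directory standing in for /tmp, and the sample values are constructed for illustration.

```ruby
require 'yaml'
require 'tmpdir'
require 'fileutils'

# Pattern the report describes, for contrast: a fixed path opened with "w",
# which reuses any file already there and keeps that file's owner and mode.
def write_defaults_insecure(path, defaults)
  File.open(path, 'w') { |f| f.write(defaults.to_yaml) }
end

# Hardened: O_CREAT|O_EXCL fails with EEXIST if anything (including a symlink)
# already exists at the path, and 0600 is applied at creation, not afterwards.
def write_defaults_exclusive(path, defaults)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.write(defaults.to_yaml)
  end
  path
end

# Preferred: Dir.mktmpdir creates an unpredictable, owner-only (0700) directory,
# so no other local user can pre-create or read the file inside it.
def write_defaults_private(defaults)
  dir = Dir.mktmpdir('defaults')
  write_defaults_exclusive(File.join(dir, 'default_values.yaml'), defaults)
end

# Constructed scenario: a scratch directory stands in for /tmp, and a file is
# planted at the fixed name before the writer runs.
def demo
  defaults = { 'db_password' => 'constructed-sample-value' }
  shared = Dir.mktmpdir('shared_tmp_standin')
  fixed = File.join(shared, 'default_values.yaml')
  File.write(fixed, "planted: true\n")
  File.chmod(0o666, fixed)
  write_defaults_insecure(fixed, defaults)
  reused_mode = File.stat(fixed).mode & 0o777 # planted file's mode survives
  refused = begin
    write_defaults_exclusive(fixed, defaults)
    false
  rescue Errno::EEXIST
    true
  end
  private_path = write_defaults_private(defaults)
  result = { reused_mode: reused_mode, refused: refused,
             private_mode: File.stat(private_path).mode & 0o777 }
  FileUtils.rm_rf([shared, File.dirname(private_path)])
  result
end

p demo if __FILE__ == $PROGRAM_NAME
```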
